OIDC Relying Party

About

This authenticator acts as an OpenID Connect Relying Party, communicating with an external OpenID Connect Provider (OP). Supports OpenID Connect Authorization Code Flow.

Configuration

Authenticator Type: OIDCRP | OIDCAuthCodeFlowRP

Common Authenticator configuration can be found here.

Name Description Default value Mandatory

Name	Description	Default value
`discovery_metadata_url`	URL to the external OP.	N/A
`internal_http_destination`	ID of the internal http client used to communicate with the external OP.	N/A
`custom_identifier`	Custom identifier to be set inte the event logging entry	N/A
`client_id`	Client id used when communicating with the OP.	N/A
`client_secret`	Client secret used when communicating with the OP token endpoint.	N/A
`redirect_uri`	Redirect URI used when communicating with the OP.	N/A
`scope`	OIDC scope used when communicating with the OP.	`"openid"`
`enable_user_info_lookup`	If userinfo endpoint should be contacted. (The userinfo endpoint must also be part of the discovery metadata)	`true`
`jwt_subject_parameter`	JWT parameter used as subject/username.	`"sub"`
`use_raw_claims`	If the collected claims should be presented "raw" on the global state object. Otherwise the claims will be "stringified".	`false`
`id_token_header_prefix`	Prefix to use for the id_token header claims.	`""`
`id_token_payload_prefix`	Prefix to use for the id_token payload claims.	`""`
`userinfo_prefix`	Prefix to use for the userinfo claims.	`""`
`disable_nonce`	Disables sending nonce as part of the requests.	`false`

discovery_metadata_url

URL to the external OP.

N/A

internal_http_destination

ID of the internal http client used to communicate with the external OP.

N/A

custom_identifier

Custom identifier to be set inte the event logging entry

N/A

client_id

Client id used when communicating with the OP.

N/A

client_secret

Client secret used when communicating with the OP token endpoint.

N/A

redirect_uri

Redirect URI used when communicating with the OP.

N/A

scope

OIDC scope used when communicating with the OP.

"openid"

enable_user_info_lookup

If userinfo endpoint should be contacted. (The userinfo endpoint must also be part of the discovery metadata)

true

jwt_subject_parameter

JWT parameter used as

subject/username.

"sub"

use_raw_claims

If the collected claims should be presented "raw" on the global state object. Otherwise the claims will be "stringified".

false

id_token_header_prefix

Prefix to use for the id_token header claims.

""

id_token_payload_prefix

Prefix to use for the id_token payload claims.

""

userinfo_prefix

Prefix to use for the userinfo claims.

""

disable_nonce

Disables sending nonce as part of the requests.

false

{
    "id": "oidc_rp",
    "type": "OIDCRP",
    "config": {
        "base_path": "/oidcrp/authn",
        "custom_identifier": "fortifiedid",
        "discovery_metadata_url": "https://192.168.50.228/oidc/mycompany/.well-known/openid-configuration",
        "internal_http_destination": "oidcrp_httpclient",
        "client_id": "my_client_id",
        "client_secret": "my_client_secret",
        "redirect_uri": "http://127.0.0.1:8080/oidcrp/authn/oidc_rp",
        "jwt_subject_parameter": "given_name"	
    }
}

Logging

On a successful authentication, an event is logged containing the following:

WEB_100021
IDENTIFIER (user traceid)
SOURCE_SERVICE_NAME (issuer from metadata)
SOURCE_USER_NAME (jwt_subject_parameter from any of the claims)
SOURCE_ADDRESS (user IP address)
CUSTOMER_IDENTIFIER (custom_identifier if configured)

Data exposed to global state

After successful validation, data stored in the global state are:

id_token header claims
id_token payload claims
userinfo claims

PreviousImplicit Flow NextUI

Last updated 11 months ago